WHAT IS CLAIMED IS: 



2 1. Apparatus for deterring failure of a computing system; 

2 said apparatus comprising: 

3 an exclusively hardware network of components , having 

4 substantially no software; 

5 terminals of the network for connection to such system; 

6 and 

7 fabrication-preprogrammed hardware circuits of the net- 

8 work for guarding such system from failure. 



1 2. The apparatus of claim 1, particularly for use with such 

2 system that is substantially exclusively made up of substan- 

3 tially commercial, off-the-shelf components; and wherein: 

4 at least one of the network terminals is connected to 

5 receive at least one error signal generated by such system in 

6 event of incipient failure of such system; and 

7 at least one of the network terminals is connected to 

8 provide at least one recovery signal to such system upon re- 

9 ceipt of the error signal. 
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3. The apparatus of claim 2, wherein: 

the circuits comprise portions fabrication-preprogrammed 
to evaluate the at least one error signal to establish charac- 
teristics of the at least one recovery signal. 

4. The apparatus of claim 1, further comprising: 
such computing system. 

5 . The apparatus of claim 1 r wherein : 

the circuits comprise portions for identifying failure of 
any of the circuits and correcting for the identified failure. 

6. The apparatus of claim 1, particularly for use with a 
computing system that has at least one software subsystem for 
conferring resistance to failure of the system; and wherein: 

the circuits comprise substantially no portion that in- 
terferes with such failure-resistance software subsystem. 
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7. The apparatus of claim 1, particularly for use with a 
computing system that is substantially exclusively made of 
substantially commercial, off-the-shelf components and that 
has at least one hardware subsystem for generating a response 
of the system to failure; and wherein: 

the circuits comprise portions for reacting to said re- 
sponse of such hardware subsystem. 

8. The apparatus of claim 1, particularly for use with a 
computing system that has plural generally parallel computing 
channels; and wherein: 

the circuits comprise portions for comparing computatio- 
nal results from such parallel channels . 

9 . The apparatus of claim 8 , wherein : 

the parallel channels of the computing system are of di- 
verse design or origin. 
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10. The apparatus of claim 1, particularly for use with a 
computing system that has plural processors; and wherein: 

the circuits comprise portions for identifying failure of 
any of such processors and correcting for identified failure. 

11. The apparatus of claim 1, wherein: 

the circuits comprise modules for collecting and respond- 
ing to data received from at least one of the terminals, said 
modules comprising : 

at least three data-collecting and -responding mod- 
ules , and 

processing sections for conferring among the modules 
to determine whether any of the modules has 
failed. 
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1 12. The apparatus of claim 1, particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one subsystem for generating a response of the 

5 system to failure, and that also has at least one subsystem 

6 for receiving recovery commands ; and wherein : 

7 the circuits comprise portions for interposing analysis 

8 and a corrective reaction between the response-generating sub- 

9 system and the command-receiving subsystem. 

1 13. Apparatus for deterring failure of a computing system; 

2 said apparatus comprising: 

3 a network of components having terminals for connection 

4 to such system; and 

5 circuits of the network for operating programs to guard 

6 such system from failure; 

7 the circuits comprising portions for identifying failure 

8 of any of the circuits and correcting for the identified 

9 failure . 
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1 14. The apparatus of claim 13, wherein: 

2 the program-operating portions comprise a section that 

3 corrects for the identified failure by taking a failed circuit 

4 out of operation. 

1 15. The apparatus of claim 14, wherein: 

2 the program-operating portions comprise a section that 

3 substitutes and powers up a spare circuit for a circuit taken 

4 out of operation. 

1 16. The apparatus of claim 13, further comprising: 

2 such computing system. 



1 17. The apparatus of claim 13, wherein: 

2 the program-operating portions comprise at least three of 

3 the circuits; and 

4 failure is identified at least in part by majority vote 

5 among the at least three circuits. 
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1 18. The apparatus of claim 13, particularly for use with a 

2 computing system that has at least one software subsystem for 

3 conferring resistance to failure of the system; and wherein: 

4 the circuits comprise substantially no portion that in- 

5 terferes with such failure-resistance software subsystem. 

1 19. The apparatus of claim 13, particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one hardware subsystem for generating a response 

5 of the system to failure; and wherein: 

e the circuits comprise portions for reacting to said re- 

7 sponse of such hardware subsystem. 

1 20. The apparatus of claim 13, particularly for use with a 

2 computing system that has plural generally parallel computing 

3 channels; and wherein: 

4 the circuits comprise portions for comparing computatio- 
ns nal results from such parallel channels . 



A. A. Avizienis, Ph. D. / xAAA-02 



78 



P. Lippman / June 20, 2001 



1 21. The apparatus of claim 20, wherein: 

2 the parallel channels of the computing system are of di- 

3 verse design or origin. 

1 22. The apparatus of claim 13 , particularly for use with a 

2 computing system that has plural processors; and wherein: 

3 the circuits comprise portions for identifying failure of 

4 any of such processors and correcting for identified failure. 

1 23. The apparatus of claim 13, wherein: 

2 the circuits comprise modules for collecting and respond- 

3 ing to data received from at least one of the terminals, said 

4 modules comprising: 



5 

e at least three data-collecting and -responding mod- 
7 ules , and 

8 

9 processing sections for conferring among the modules 

10 to determine whether any of the modules has 

11 failed. 
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1 24. The apparatus of claim 13 , particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one subsystem for generating a response of the 

5 system to failure, and that also has at least one subsystem 

6 for receiving recovery commands; and wherein: 

7 the circuits comprise portions for interposing analysis 

8 and a corrective reaction between the response-generating sub- 
s' system and the command-receiving subsystem. 



1 25. Apparatus for deterring failure of a computing system 

2 that has at least one software subsystem for conferring resis- 

3 tance to failure of the system; said apparatus comprising: 

4 a network of components having terminals for connection 

5 to such system ; and 

6 circuits of the network for operating programs to guard 

7 such system from failure; 

8 the circuits comprising substantially no portion that in- 

9 terferes with such failure-resistance software subsystem. 
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1 26. The apparatus of claim 25 , further comprising: 

2 such computing system, including such at least one soft- 

3 ware subsystem . 

1 27. The apparatus of claim 25 , particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one hardware subsystem for generating a response 

5 of the system to failure; and wherein: 

6 the circuits comprise portions for reacting to said re- 

7 sponse of such hardware subsystem. 



A. A. Avizienis, Ph. D. / xAAA-02 



81 



P. Lippman / June 20, 2001 



28. The apparatus of claim 25, particularly for use with a 
computing system that has plural generally parallel computing 
channels; and wherein: 

the circuits comprise portions for comparing computatio- 
nal results from such parallel channels . 

29. The apparatus of claim 28, wherein: 

the parallel channels of the computing system are of di- 
verse design or origin. 

30. The apparatus of claim 25, particularly for use with a 
computing system that has plural processors; and wherein: 

the circuits comprise portions for identifying failure of 
any of such processors and correcting for identified failure. 
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31. The apparatus of claim 25, wherein: 

the circuits comprise modules for collecting and respond- 
ing to data received from at least one of the terminals, said 
modules comprising : 

at least three data-collecting and -responding mod- 
ules , and 

processing sections for conferring among the modules 
to determine whether any of the modules has 
failed. 

32. The apparatus of claim 25, particularly for use with a 
computing system that is substantially exclusively made of 
substantially commercial, off-the-shelf components and that 
has at least one subsystem for generating a response of the 
system to failure, and that also has at least one subsystem 
for receiving recovery commands; and wherein: 

the circuits comprise portions for interposing analysis 
and a corrective reaction between the response-generating sub- 
system and the command-receiving subsystem . 
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33. Apparatus for deterring failure of a computing system 
that is substantially exclusively made of substantially com- 
mercial, off-the-shelf components and that has at least one 
hardware subsystem for generating a response of the system to 
failure; said apparatus comprising: 

a network of components having terminals for connection 
to such system; and 

circuits of the network for operating programs to guard 
such system from failure; 

the circuits comprising portions for reacting to said 
response of such hardware subsystem. 

34. The apparatus of claim 33, wherein: 

the reacting portions comprise sections for evaluating 
the hardware -subsystem response to establish characteristics 
of at least one recovery signal . 
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35. The apparatus of claim 34 , wherein: 

the reacting portions comprise sections for applying the 
at least one recovery signal to such system, 

36. The apparatus of claim 33, further comprising: 

such computing system, including such hardware subsystem. 

37. The apparatus of claim 33, particularly for use with a 
computing system that has plural generally parallel computing 
channels; and wherein: 

the circuits comprise portions for comparing computatio- 
nal results from such parallel channels . 

38. The apparatus of claim 37, wherein: 

the parallel channels of the computing system are of di- 
verse design or origin. 
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39. The apparatus of claim 33 , particularly for use with a 
computing system that has plural processors; and wherein: 

the circuits comprise portions for identifying failure of 
any of such processors and correcting for identified failure. 

40. The apparatus of claim 33, wherein: 

the circuits comprise modules for collecting and respond- 
ing to data received from at least one of the terminals, said 
modules comprising: 

at least three data-collecting and -responding mod- 
ules , and 

processing sections for conferring among the modules 
to determine whether any of the modules has 
failed. 
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41. The apparatus of claim 33, particularly for use with a 
computing system that is substantially exclusively made of 
substantially commercial, off-the-shelf components and that 
has at least one subsystem for generating a response of the 
system to failure, and that also has at least one subsystem 
for receiving recovery commands; and wherein: 

the circuits comprise portions for interposing analysis 
and a corrective reaction between the response-generating sub- 
system and the command-receiving subsystem. 

42 . Apparatus for deterring failure of a computing system 
that is distinct from the apparatus and that has plural gen- 
erally parallel computing channels; said apparatus comprising: 

a network of components having terminals for connection 
to such system; and 

circuits of the network for operating programs to guard 
such system from failure; 

the circuits comprising portions for comparing computa- 
tional results from such parallel channels . 
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43. The apparatus of claim 42, wherein: 

the parallel channels of the computing system are of di- 
verse design or origin. 

44. The apparatus of claim 42, wherein: 

the comparing portions comprise at least one section for 
analyzing discrepancies between the results from such parallel 
channels . 

45. The apparatus of claim 44, wherein: 

the comparing portions further comprise at least one 
section for imposing corrective action on such system in view 
of the analyzed discrepancies . 

46. The apparatus of claim 45, wherein: 

the at least one discrepancy-analyzing section uses a 
majority voting criterion for resolving discrepancies. 
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47. The apparatus of claim 42, further comprising: 
such computing system. 

48. The apparatus of claim 47 , wherein: 

the parallel channels of the computing system are of di- 
verse design or origin. 

49. The apparatus of claim 48, wherein: 

the comparing portions comprise circuitry for performing 
an algorithm to validate a match that is inexact. 

50. The apparatus of claim 49, wherein: 

the algorithm-performing circuitry employs a degree of 
inexactness suited to a type of computation under comparison. 
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51. The apparatus of claim 49, wherein: 

the algorithm-performing circuitry performs an algorithm 
that selects a degree of inexactness based on type of computa- 
tion under comparison. 

52. The apparatus of claim 42, particularly for use with a 
computing system that has plural processors; and wherein: 

the circuits comprise portions for identifying failure of 
any of such processors and correcting for identified failure. 
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1 53. The apparatus of claim 42, wherein: 

2 the circuits comprise modules for collecting and respond- 

3 ing to data received from at least one of the terminals, said 

4 modules comprising : 



5 

6 at least three data-collecting and -responding mod- 

7 ules , and 

8 

9 processing sections for conferring among the modules 

10 to determine whether any of the modules has 

11 failed. 



1 54. The apparatus of claim 42, particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one subsystem for generating a response of the 

5 system to failure, and that also has at least one subsystem 

6 for receiving recovery commands; and wherein: 

7 the circuits comprise portions for interposing analysis 

8 and a corrective reaction between the response-generating sub- 

9 system and the command-receiving subsystem. 
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55. Apparatus for deterring failure of a computing system 
that has plural processors; said apparatus comprising: 

a network of components having terminals for connection 
to such system; and 

circuits of the network for operating programs to guard 
such system from failure; 

the circuits comprising portions for identifying failure 
of any of such processors and correcting for identified 
failure . 

56. The apparatus of claim 55 , wherein: 

the identifying portions comprise a section that corrects 
for the identified failure by taking a failed processor out of 
operation . 
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57. The apparatus of claim 56, wherein: 

the section comprises parts for taking a processor out of 
operation only in case of signals indicating that the proces- 
sor has failed permanently. 

58. The apparatus of claim 55 , wherein: 

the identifying portions comprise a section that substi- 
tutes and powers up a spare circuit for a processor taken out 
of operation. 

59. The apparatus of claim 55, further comprising: 
such computing system. 
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1 60. The apparatus of claim 55, wherein: 

2 the circuits comprise modules for collecting and respond- 

3 ing to data received from at least one of the terminals, said 

4 modules comprising : 

5 

6 at least three data-collecting and -responding mod- 

7 ules , and 

8 

9 processing sections for conferring among the modules 

20 to determine whether any of the modules has 

ii failed. 



1 61. The apparatus of claim 55, particularly for use with a 

2 computing system that is substantially exclusively made of 

3 substantially commercial, off-the-shelf components and that 

4 has at least one subsystem for generating a response of the 

5 system to failure, and that also has at least one subsystem 

6 for receiving recovery commands ; and wherein : 

7 the circuits comprise portions for interposing analysis 

8 and a corrective reaction between the response-generating sub- 

9 system and the command-receiving subsystem. 
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1 62. Apparatus for deterring failure of a computing system; 

2 said apparatus comprising: 

3 a network of components having terminals for connection 

4 to such system; and 

5 circuits of the network for operating programs to guard 

6 such system from failure; 

7 the circuits comprising modules for collecting and re- 

8 sponding to data received from at least one of the terminals, 

9 said modules comprising: 

10 

n at least three data-collecting and -responding mod- 

12 ules, and 

13 

14 processing sections for conferring among the modules 

is to determine whether any of the modules has 

16 failed. 



1 63. The apparatus of claim 62, further comprising: 

2 such computing system. 
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64. The apparatus of claim 62, particularly for use with a 
computing system that is substantially exclusively made of 
substantially commercial , off-the-shelf components and that 
has at least one subsystem for generating a response of the 
system to failure, and that also has at least one subsystem 
for receiving recovery commands; and wherein: 

the circuits comprise portions for interposing analysis 
and a corrective reaction between the response-generating sub- 
system and the command-receiving subsystem. 
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1 65. Apparatus for deterring failure of a computing system 

2 that is substantially exclusively made of substantially com- 

3 mercial, off-the-shelf components and that has at least one 

4 subsystem for generating a response of the system to failure, 

5 and that also has at least one subsystem for receiving recov- 

6 ery commands; said apparatus comprising: 

7 a network of components having terminals for connection 

8 to such system between the response-generating subsystem and 

9 the recovery-command- receiving subsystem; and 

io circuits of the network for operating programs to guard 

n such system from failure; 

12 the circuits comprising portions for interposing analysis 

13 and a corrective reaction between the response-generating sub- 

14 system and the command-receiving subsystem. 

1 66. The apparatus of claim 62, further comprising: 

2 such computing system. 
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